Tuesday, December 04, 2007

Full Disclosure is dead

"Businesses must realize that full disclosure is dead" is a contributed article I wrote for SC Magazine. This is nothing like my usual webappsec banter, nor is it the stereotypical FD talking points everyone has heard and debated a million times before. Instead I tried to articulate my current views on the subject of vulnerability disclosure, which are probably very different from most, and where I believe the industry is heading.

“Full Disclosure is dead. Let me explain why. The information security world has changed, even if some don't see it or are unwilling to accept it. Vulnerability disclosure discussions based upon ethics are morally antiquated and naïve at best considering today's cyber-security climate...”

One thing I forgot to mention is that many software vendors will try to capitalize on the fact that fewer vulnerabilities will get reported and say it's the result of "more secure software".

8 comments:

I think there is still FD, but only in much smaller doses. So many of the researchers of yesterday are now "growed up" and really are professional security researchers that have some integrity to protect, and an industry to build (and maybe mouths to feed!).

There are far fewer hobbyist types of researchers these days, especially outside the ranks of minors. It is in the hobbyist group that FD is still viable...or maybe those people who accidentally discover vulns and otherwise don't know about the industry at all.

Still, good article and excellent points. You either profit (rep, jobs, or money) if you responsibly disclose or you profit if you keep it hidden in the black market.

As far as I am concerned, the reactive methodology of major business is why this is such an issue. In other words, it is not an issue, no matter how glaringly obvious, until it is a problem for me...and even then it is all about saving face. This technology is not new...it is out there, they are simply unwilling to be proactive. Which is fine, however I am tired of hearing them cry about it when they throw craps! This is the "It is all about me" philosophy...How many retailers are heeding the TJX scenario and taking on the security initiative that are? Probably none...it didn't happen to them, I haven't read any articles stating anything to the contrary. I have worked for a major company (10th largest global retailer) whose systems have been totally compromised and have done absolutely nothing about it aside from a barrage of media control crap and some pointless process implementation that is pencil whipped every time. Nothing is safe, we have just been lucky enough to this point that some evil genius hasn't decided to nuke the whole thing. On the topic of software vendors not wanting to pay for discovered vulnerabilities and then having the audacity to try to control the release of that information...insane. These companies should "man-up" and set up a public contact site where you can submit a bug and have it rated by a system paying you based on your discovery's magnitude. At some point in every security "researcher's" career, you say to yourself..."I wish I could get paid for my hard work...there is value in my skill"... At that point you decide, based on the ease of solution and some moral fiber, which path you will take. That of the patient researcher who may never get paid, a thank you or possibly some jail time, or that of the underground entrepreneur who WILL get paid. If people think they can get away with it, they will. That has been proven time and time again throughout history.
These players need to realize that there is just no such thing as secure software...and never will be until humans stop using it. It is the same concept as absolute safety in unplugging your box from the Internet. Just come forward with the truth, honestly work with the community that desperately wants to be a part of the solution and everyone wins. Great article by the way.

Thanks guys, glad you enjoyed the article. I just thought someone had to say out loud what many of us were already thinking. That the infosec landscape has changed and is changing, as are its participants. The culture we grew up in is not the environment in which we exist. Vulnerabilities are in mass supply and you can't depend and wait on the goodness of others to tell you about a flaw when you are responsible for sensitive data.

This may be a bit off topic but here goes...I was reading through a text I have about trojans and worms and I am really upset, or more to the point sick and tired, that they do not post an actual coded variant. What is the big stigma...? Here is my issue, why can I go out and buy a gun from Walmart, yet I cannot find a single text book, article or anything that posts a real virus? What a bunch of crap. Honestly I am much more in fear of some idiot with a gun than with a virus, especially one (virus) that has been patched months or years ago. Why is everything such a secret? I propose this, anyone who has code of this type, post it here (in static form) and I will keep it here for as long as I am allowed. What is the big hang up here? I am so sick of reading books that only speak on concept, which is very important mind you, but never give you a real line by line example of a working executable. Is that like going to med school and never being allowed to participate in a lab using a cadaver? Just use the text book, that's all you need right? Wrong! Part of the issue with moving this or any other overly technical topic to the desk of your CIO is that he/she understands what the hell you are talking about, and if you are where I am that means plain English (or whatever your native language may be). All of us "techies" get this (to some extent) but we are not in charge of the operation, so whoop-it-ee-doo! I have presented many times to CSIOs and CIOs and never once was it a technical presentation, it is mainly focused on how this will improve something currently a part of the business model and ROI. I am currently reading a great book, "The Web Application Hacker's Handbook," it just came out a few months ago. This is a great book by a very intelligent individual, but again there are no real examples. Lots of obfuscated "Hack Steps" but no real "attacks" like the book claims. I wanna see "...do this, then this... type this here, this is the token to modify for this reason..." plain and simple. I want to see the exact exploit they are referring to in their conceptual jargon. Conceptual examples are only good if you have a grasp of the concept or are in a classroom and can ask a question when you "don't get it." They do not work in a stand alone text book. When are these smart guys gonna get that? My complaint is that, number 1, I am no fool but I am certainly not at the level of knowledge that these guys are...however I am the guy in charge of this at a HUGE financial institution, and that is the case the world over. The experts developing these tools and SAAS's are NOT the guys using them for the betterment of the industry, it is people like me. So if I do not understand what the hell you are talking about, then I am totally useless in my role until I do and by that time it may be too late. The information is necessary right now. I am never going to reach their level, it is not my role. My role is to understand what is going on, from your ability to share your vast expertise in a way I can actually use in my professional role that makes an impact on the security posture of my organization. Why is it that "hackers" seemingly have the edge? This is why, no one wants to really share the right information on the professional front. Do hackers not share these secrets either? I am out in the real world not sitting in some classroom, I have not the time nor patience to wait until I realize an exploit first hand. Let me break this down for you. This is how it is...I am a UNIX Engineer by education and experience, my primary enterprise role. The reality is this, your role will expand and change in the professional environment. Companies do not just say "...OK, we want to do application vulnerability scanning now, let's go hire an expert..." they say "...OK we want to do application vulnerability scanning now, who do we currently employ that will now take this on..." That is the reality, unbelievable as it may seem.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!